Dual computer cross-checking system.



A dual computer cross-checking system includes a control computer (10) for controlling a process in accordance with input data and a monitoring computer (12). The two computers are interconnected to exchange check data on a cyclic basis, each computer carrying out a number of processing operations on the received check data before transmitting the data thus processed to the other computer. In addition, each computer checks the received check data against an expected value. An error condition is detected if the result of at least one of these comparisons is found to be incorrect.



This invention relates to a dual computer 
cross-checking system for use in a high integrity 
control system. 

By way of example, the invention is applicable 
to a vehicle anti-skid brake control system, in 
which a computer is used to process data received 
from wheel speed transducers and to control the 
release of the brake of a particular wheel when the 
deceleration of that wheel is too rapid. 

Clearly, in a system of this kind it is important 
to ensure that a computer failure does not give rise 
to a condition in which a brake is released when no 
skid condition exists. It has already been proposed 
to include in the system two identical computers 
which both receive the same input signals and, 
when operating correctly, both produce the same 
control output signals. Connections are provided 
between the two computers to enable each to 
monitor the control output signals of the other. 
Redundant processing is used to compare the out- 
put signals and if discrepancies between these 
control output signals arise, anti-skid operation is 
inhibited, so that the braking system operates as a 
normal system without anti-skid operation. 

This prior proposal has several disadvantages. Firstly, it is necessary to duplicate the relatively expensive, high powered computer. Secondly, a large number of interconnections between the computers is required if the system includes several independent channels, as is customary. This may mean that more expensive computers have to be used. Thirdly, generally speaking, there are only control outputs from the computers when an actual skid situation arises, and complete cross-checking therefore occurs only rarely. Fourthly, the use of identical computers with identical programs will not reveal a program fault if this exists in a routine which is exercised only under special circumstances; and where identical devices from the same wafer are powered by a common supply, a supply disturbance can produce similar faults in both computers which remain undiscovered unless they represent massive failures.

It is an object of the invention to provide a dual 
computer cross-checking system which overcomes 
these disadvantages. 

In accordance with the invention there is provided a dual computer cross-checking system comprising a control computer, control data supply means for supplying control data to the control computer, said control computer processing said control data and producing control output signals, a monitoring computer for checking the operation of the control computer, said control computer and said monitoring computer being arranged to interchange check data on a cyclic basis, each computer carrying out a predetermined calculation on the check data it receives from the other computer and each computer checking that the check data received from the other computer bears a predetermined relationship to the check data it transmitted to the other computer in the previous cycle, and shut-down means controlled by both computers for shutting down the control system in the event that at least one of said checking operations reveals a discrepancy.

With such an arrangement, the monitoring computer may be of a less expensive, less powerful type than the control computer. It may, for example, run at a lower clock frequency.

Preferably one of the two computers operates as a master computer controlling the timing of check data interchange. It is preferable that the control computer should be the master computer, so that the check data interchange can be timed to coincide with precise points in its control operating cycle. Failure to receive check data at the precise point when it is expected is interpreted as a failure which causes said shut-down means to operate.

The check data may consist of a single byte which may be transmitted either serially or in parallel between the two computers. In this case the predetermined calculation carried out by each computer may include the addition of a prime number to the value of the byte in each cycle. Such addition is preferably effected in a series of separate stages throughout the operating cycle of the computer in question. Further "calculation" operations may include, for example, the reversal of the order of the individual bits of the check data byte. Preferably the algorithms used by the two computers are different, although the overall result of each algorithm is the same.

The shut-down means may be arranged to operate on the first occasion that a check data discrepancy is found. However, if the control system is to be used in a noisy environment, such as in a motor vehicle brake control system, it is preferable to arrange for each computer to maintain a count of discrepancies occurring in a period and to operate said shut-down means only if such count reaches a preset level. Thus, for example, each computer may have two counters (in its software), one of which counts the number of correct check cycles and the other of which counts the number of check cycles in which a discrepancy occurs, said other counter being decremented (if not already at a count of zero) each time a predetermined number of counts is made by the first-mentioned counter.

The invention is described further hereinafter, 
by way of example only, with reference to the 
accompanying drawings, in which:- 

Figure 1 is a block diagram of an anti-lock 
braking system which incorporates an example of a 
dual computer cross-checking system in accor- 
dance with the invention; 

Figure 2 is a timing chart showing an example of the timing of check data interchange;

Figure 3 is a table illustrating an example of 
the check data algorithms for the two computers, 
and 

Figure 4 is a table illustrating an example of 
the main control cycle of one of the two computers. 

Referring firstly to Figure 1, the system shown includes a main control microcomputer 10 which receives control input data from four wheel speed sensors S1 to S4 and controls four solenoids SOL1 to SOL4 in accordance with the input data, as well as controlling a pump relay 11. The main computer thus performs the task of gathering data from the wheel speed sensors and making control decisions which are relayed to the brakes by solenoid drive signals. Additionally the main computer has a pump motor drive signal which energises relay 11 to ensure the brake reapply energy source, a shut down relay 14 drive signal which is normally energised so as to connect the battery B+ supply to the solenoids and the pump motor relay coil, and a lamp drive signal to illuminate a fault warning lamp 13 in the event of any failure being detected. This latter signal is taken to the driver stage via an OR gate G1, where it is combined with a similar signal from the monitor computer so that either signal being active will switch on the lamp 13.

Generally speaking the system operates in known manner such that if any wheel is found to be slowing down too rapidly during a braking operation, the corresponding solenoid is energised and operates a valve which cuts the brake of the wheel in question off from the brake master cylinder and allows brake fluid to be released into a reservoir, from which it is returned in due course by the pump controlled by relay 11, so as to reapply the brake.

A monitoring microcomputer 12 is also includ- 
ed for monitoring the operation of the control com- 
puter. This monitoring computer has its own clock 
which may run at a lower speed than that of the 
control computer. It is preferably a cheaper, less 
powerful device than the control computer, having 
less RAM and less ROM and it may be a com- 
pletely different type from the control computer 10. 

This monitoring computer 12 can be connected to the control computer by three lines only, i.e. SO, SI and SM. Line SO connects a serial output of the monitoring computer 12 to a serial input of the control computer. Line SI connects a serial output of the control computer to a serial input of the monitoring computer, and line SM connects a synchronisation output of the control computer to a corresponding input of the monitoring computer. The serial output from the monitor computer can be taken from a software-generated serial port on the monitor computer in the event that a very low cost device is used which does not have a serial I/O facility. (As will be evident, two computers both with dedicated serial I/O could be interconnected with greater ease, or parallel data exchanges could be substituted if very rapid transfers were required and a higher cost incurred.) The SI and SM lines are also connected to a gate G3 to provide serial data to a diagnostic output.

Under all normal operating conditions there is a predictable sequence of data flow between the two computers, resultant processing of this check data within both computers, and regular synchronisation of the independently clocked monitor computer from the main computer. Additionally, both computers provide drive signals to the shut down relay drive stage via AND gate G2 in order to maintain the energisation of relay 14 and thereby the connection of power to the solenoids and pump relay 11. Further outputs are provided by each computer to OR gate G1 in the lamp drive input circuit, but these signals are inactive until a fault condition is detected by either one of the computers.

The main and monitor computers have separate clock crystals, the main computer being used as the master timing element to which the control accuracy is related. This master timing cycle is set typically at 8 ms or 16 ms, and control decisions are made in each cycle on the basis of data gathered in the previous cycle, with the output signals to the solenoid valves being generated as soon as the control algorithm is completed. In some systems the main computer serial output may also be used to output a data byte at each cycle period for diagnostic purposes. If this is the case, the cycle may be split into two halves by a master timing waveform generated by the master microcomputer. This is shown in Fig. 2, where the SM waveform from the master computer selects the UART connection as a diagnostic output when low and, on the low-to-high transition, effects the timing re-synchronisation of the monitor computer. With SM high the serial output is directed to the cross-checking intercommunication task between the two computers, which may take place at a different data transmission rate (baud rate) from the diagnostic communication.

The typical timing waveforms shown in Fig. 2 are based on an 8 ms cycle which commences with a synchronising edge as the SM line changes from 0 to 1. The monitor computer timing is restarted at this edge and a window is opened for a short period in which a byte is expected from the main computer. This byte will be the response to the stimulus sent out from the monitoring computer during a set period within the previous cycle. Correct receipt of this byte CHECKR results in the internal check taking place within the monitor, when CHECKR is compared with the monitor computer's calculated reply. Agreement produces the already calculated next stimulus for transmission to the main computer at a given time after the rising edge of the SM waveform which performed synchronisation. The main computer has typically some 7 ms in which to process this stimulus data and ready the reply byte CHECKR for transmission just after the next synchronising edge.

Referring again to Fig. 2, the upper trace 2a shows the signal on the SM line, which, as shown, is alternately high for 4 ms and low for 4 ms. The rising edges of this waveform trigger transmission of serial data to the monitoring computer, whilst the low SM gate level triggers transmission of serial data to the diagnostic output. Trace 2b shows the data transmission periods for the control computer 10 on line SI, whilst trace 2c shows the transmission periods for the monitoring computer 12 on line SO.

As explained above, the control computer 10 
acts as the master computer in this data transmis- 
sion scheme, each new cycle starting with the 
transmission of check data from the control com- 
puter 10 to the monitoring computer. After a fixed 
time, during which the monitor computer tests the 
check data result received from the control com- 
puter, the monitoring computer transmits to the 
control computer the next byte of check data. 

The checking sequence is as follows:-

(a) A check reply byte is transmitted from the main computer at a specific point in each 8 ms cycle, in response to a stimulus byte received from the monitor computer in the previous cycle.

(b) Reception of this byte at the monitor computer causes a check on the data value and, if correct, a new stimulus byte is issued and transmitted serially to the main computer to form the next stimulus. Again a timing window is generated during which this stimulus is acceptable to the main computer.

(c) Data processing takes place on the stimulus data generated by the monitor computer in order that the main computer can generate the response byte.

(d) The monitor computer also computes the response byte so that it knows the data value to expect from the main computer response and can check for equality on receipt.

(e) The monitor computer is programmed to calculate the next stimulus byte from the previous check reply byte so that a known progression can be produced.

(f) The main computer is programmed also to calculate the next stimulus byte that should be presented from the monitor, by simple processing of the previous stimulus data. The first check on the stimulus received by the main computer must show agreement with the internally calculated expected stimulus, or the required processing in the main computer is not undertaken and the return byte in the next cycle is omitted.

In this computer cross-checking combination, both the monitor and main computers are required to produce a specified output signal to prevent system shut down. Thus, if either computer receives an input check byte which differs from that which is expected (through internal calculation), the local support signal which maintains operation will be removed. Typically this support signal combination maintains the energisation of the shut down relay 14, so that removal of either support signal will release relay 14 and disable all control outputs from the controller. Clearly in some systems this relay can be replaced by a solid state switch, and the release signal may be used to effect the selection of some suitable default settings should the process be a vital vehicle function from which control cannot be completely withdrawn. Current practice in anti-lock braking systems, however, is to disable the output signals to the solenoids, thereby reverting to normal brakes, and to issue from whichever computer detected the failure a signal which lights the fault warning lamp 13.

The process chosen for each check stimulus to be subjected to before the reply byte is produced can be complex and is of course open to great variation as selected by the system designer. It may not always be the same process since, depending on the value of the stimulus byte, one of a pre-arranged selection of processes pre-programmed into both computers could be chosen. Fig. 3 shows, for the purpose of a simple illustration, one way in which the two computers use the check data to cross-check on the operation of the other. At the commencement of the first cycle of operation of the system, the monitor computer has a check data byte 0000 0000 and transmits this at the appropriate time to the main control computer. The check data is transmitted bit by bit with the most significant bit first, and this bit becomes the least significant bit of the byte received by the control computer. The first operation carried out by the control computer on the check data byte is to reverse the order of its bits (at this stage this is insignificant as the bits are all zero, but in later cycles it is of significance). A prime number, such as 19, is now added to the byte held in the control computer so that a value of 0001 0011 is generated. The order of the bits in this byte is then reversed again and the byte is transmitted to the monitor computer at the appropriate time. The value of the received byte (which is stored with its bits in reversed order) is compared with a value generated by adding 19 to the original value of the byte sent in the previous cycle. If the comparison verifies that the values are the same, the next value to be transmitted is generated by adding 4 to the received byte (i.e. 0001 0111), which is transmitted to the control computer and received again with the order of the bits reversed. On receipt by the control computer the bits are rewritten in reverse order and the resulting byte is compared with the value of the last byte received in reverse order plus 23. If this comparison is correct then 19 is added again, the bit order is reversed and the resulting byte is transmitted, and so on. The bit reversals are an extra task which is useful for control computer checking, but they are not an essential part of the data transfer test.

It should be emphasised that the number 19 chosen for the above example is in no way significant. What is significant, however, is the progression from one check stimulus value to the next. This is set at 23; any odd step would serve equally (the step need only have no common factor with 256, so any odd prime qualifies, but 2 would not), so that over 256 data exchanges every possible combination of bits in an 8-bit byte is used for both stimulus and reply. Thus, over a 2 second period (256 exchanges at 8 ms) the test processing will be repeated a sufficient number of times to carry out a full capability check of all the parallel parts of the major elements of each computer's processing circuitry.

Thus, in the example illustrated above, the main computer process will be seen from the table of Fig. 3 to comprise typically the following steps:-

(1) Receive a stimulus data byte at a precise time in the cycle.

(2) Reverse the order of all bits of this byte, which is transmitted in reverse.

(3) Test this value against the stored expected value, and calculate the next expected value by adding 23 and store it.

(4) If the correct stimulus has been received, add the constant 19 by whatever multi-step method the system designer has selected.

(5) Reverse the order of all bits of the result.

(6) Transmit the result to the monitor just after the synchronising edge.
The main task in this routine, that of adding 19 to the stimulus byte, can obviously be done in a single step or, much more usefully, can be done by a complex and multi-step process which is as long and involved as is practical considering the main control task and the time and capacity restrictions placed on the main computer. Typically this addition of 19 will be split up into a sufficient number of steps that these can be distributed into the main control task of the computer in such a way as to test the computer instructions and facilities such as index register addressing, stack operation and some conditional branching. When the main computer control program operates on a known cycle, the steps to achieve the addition of 19 are distributed into the normal control routines so that skipping any routine will miss out a vital step in the said 'addition' process, thereby producing an incorrect result which will indicate a failure and cause the monitor computer to give shut down.
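As an added illustration, not part of the original specification, the following C program simulates the Fig. 3 progression together with the main computer steps (1) to (6) and the distributed addition just described. Taken from the description are the constants 19, 4 and 23, the bit reversal introduced by the serial link (MSB sent first, received as LSB), the two reversals in the control computer, the rule that a stimulus which does not match the expected value suppresses the reply, and the rule that a missing or wrong reply removes the monitor's GO signal. Assumptions of this example are the particular three-stage split of the addition (+7, +25, -13), the fault injection used to show detection, and the cycle bookkeeping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants of the worked example in Fig. 3 */
#define REPLY_ADD   19u   /* control computer adds 19 to each stimulus            */
#define MONITOR_ADD  4u   /* monitor adds 4 to the reply to form the next stimulus */
#define STIM_STEP   23u   /* net progression per cycle: 19 + 4 = 23                */

/* Reverse the bit order of a byte (bit 7 <-> bit 0, bit 6 <-> bit 1, ...). */
static uint8_t bitrev8(uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        r = (uint8_t)((r << 1) | (b & 1u));
        b >>= 1;
    }
    return r;
}

/* The link sends the MSB first and the receiver shifts it in as the LSB, so
   every byte arrives with its bits reversed, as described for Fig. 3. */
static uint8_t link_transfer(uint8_t tx) { return bitrev8(tx); }

typedef enum { FAULT_NONE, FAULT_SKIPPED_STEP, FAULT_LINE_NOISE } fault_t;

typedef struct { uint8_t expected_stim; bool go; } control_t;   /* computer 10 */
typedef struct { uint8_t last_stim;     bool go; } monitor_t;   /* computer 12 */

/* Control computer, steps (1) to (6): undo the link reversal, compare with the
   expected stimulus, add 19 in separate stages, reverse and transmit.
   Returns false (and removes GO) when no reply is to be sent.
   skip_step simulates a control subroutine that was not executed. */
static bool control_cycle(control_t *c, uint8_t rx, bool skip_step, uint8_t *tx)
{
    uint8_t stim = bitrev8(rx);
    if (stim != c->expected_stim) {
        c->go = false;              /* wrong or corrupted stimulus: withhold reply */
        return false;
    }
    c->expected_stim = (uint8_t)(stim + STIM_STEP);
    /* The addition of 19 split into stages interleaved with control work.
       The split (+7, +25, -13) is an assumption; the page leaves it to the designer. */
    uint8_t v = stim;
    v = (uint8_t)(v + 7u);          /* stage 1, e.g. inside the wheel speed routine */
    v = (uint8_t)(v + 25u);         /* stage 2, e.g. inside the control decision    */
    if (!skip_step)
        v = (uint8_t)(v - 13u);     /* stage 3; omitted if that routine is skipped  */
    *tx = bitrev8(v);
    return true;
}

/* Monitor computer, steps (b), (d), (e): check the reply against its own
   calculation and issue the next stimulus. rx is the byte as it arrived; the
   control computer pre-reversed it, so the link reversal has already cancelled. */
static bool monitor_cycle(monitor_t *m, bool reply_received, uint8_t rx, uint8_t *tx)
{
    if (!reply_received) { m->go = false; return false; }   /* reply window missed */
    uint8_t expected = (uint8_t)(m->last_stim + REPLY_ADD);
    if (rx != expected) { m->go = false; return false; }
    m->last_stim = (uint8_t)(rx + MONITOR_ADD);
    *tx = m->last_stim;
    return true;
}

typedef struct {
    int good_cycles;       /* cycles completed with both GO signals still asserted */
    int distinct_stimuli;  /* distinct stimulus values issued so far */
} sim_result_t;

/* Run a number of stimulus/reply exchanges, injecting one fault in fault_cycle. */
static sim_result_t run_exchanges(int cycles, int fault_cycle, fault_t fault)
{
    control_t c = { 0, true };
    monitor_t m = { 0, true };
    bool seen[256] = { false };
    sim_result_t r = { 0, 0 };
    uint8_t stim_tx = 0;                        /* first stimulus is 0000 0000 */

    for (int i = 0; i < cycles; i++) {
        if (!seen[stim_tx]) { seen[stim_tx] = true; r.distinct_stimuli++; }
        uint8_t stim_rx = link_transfer(stim_tx);
        if (i == fault_cycle && fault == FAULT_LINE_NOISE)
            stim_rx ^= 0x01u;                   /* one bit flipped on the SO line */
        uint8_t reply_tx = 0;
        bool sent = control_cycle(&c, stim_rx,
                                  i == fault_cycle && fault == FAULT_SKIPPED_STEP, &reply_tx);
        uint8_t reply_rx = sent ? link_transfer(reply_tx) : 0;
        monitor_cycle(&m, sent, reply_rx, &stim_tx);
        if (!(c.go && m.go))
            break;                              /* AND gate G2 releases relay 14 */
        r.good_cycles++;
    }
    return r;
}

int main(void)
{
    sim_result_t ok    = run_exchanges(256, -1, FAULT_NONE);
    sim_result_t skip  = run_exchanges(256, 5, FAULT_SKIPPED_STEP);
    sim_result_t noise = run_exchanges(256, 7, FAULT_LINE_NOISE);
    printf("fault-free: %d good cycles, %d distinct stimuli\n", ok.good_cycles, ok.distinct_stimuli);
    printf("skipped subroutine in cycle 5: shut down after %d good cycles\n", skip.good_cycles);
    printf("line noise in cycle 7: shut down after %d good cycles\n", noise.good_cycles);
    return 0;
}
```

Because 23 is odd, the 256 stimuli of a fault-free run are all distinct, which is the "full capability check" claimed above. A skipped addition stage is caught by the monitor in the same cycle; a corrupted stimulus is caught by the control computer, which withholds its reply, so the monitor's window times out and both GO signals are gone before gate G2 is evaluated.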

Fig. 4 illustrates an example of a typical anti-lock control program wherein the processing of the check data received by the control computer 10 is not carried out immediately on receipt, but is spread over the entire cycle of the main computer 10. Thus the first bit order reversal, the comparison with the last data byte received, the addition and the second bit order reversal can be broken down into separate stages interposed with the various control tasks carried out by the control computer. In particular, as explained above, the task of adding 19 can be split and made into an operation of considerable complexity involving adding or subtracting different values at a plurality of different points in the cycle. Other possible operations may involve moving the byte between different registers, stack operations and some conditional branching. These routines may be embedded in different subroutines of the main control program so that if any subroutine is missed for any reason, a vital step in the addition of 19 is omitted and there will be an error in the addition.

Returning now to Figure 1, it will be seen that further gates G1 and G2 have inputs from further output connections of the two computers 10 and 12. These gates control a lamp 13 and a solenoid disconnect relay 14 respectively. The lamp is lit and the solenoid power supply disconnected if either of the two computers removes a GO signal, indicating either that an expected byte of check data has not been received or that the result of the comparison referred to was unsatisfactory. The GO signal may be removed whenever a single error occurs. Alternatively, the software of each computer may include two counters, one of which is incremented each time an incorrect comparison is made, and the other of which is incremented each time a good comparison is made, provided the first-mentioned counter is not at zero. This is arranged to decrement the count of the first counter after a preset number of correct comparisons, unless the first counter is already at zero. If the count held by the first counter reaches a threshold level, the GO signal is removed. The preset level and the threshold level are chosen by the designer to provide a noise tolerance level to suit the process controlled and the electrical environment.

The system described above requires both computers to progress continually through repeated sequences of check data and is characterised by an organisation which requires any single error of comparison, whether resulting from calculation or transmission, to cause shut down. However, for some systems which may have to operate in a very noisy environment, e.g. where power supplies have considerable transients superimposed, there may exist a range of conditions under which check data transmissions may be affected, causing an error and consequent shut down of what is otherwise a perfectly good system. Under these circumstances it is desirable to build into the operating scheme of the computer combination a defined level of fault tolerance. To achieve this, the checking scheme must be modified so that a single error is registered but does not cause system shut down, and so that if the thread of the stimulus data progression is lost due to a transmission error it can be recovered and the sequence re-instated at a suitable point. This can be achieved entirely by a software variation to the scheme described above, by arranging that the main computer calculates the next expected stimulus data by always adding 23 to the previously received stimulus byte, even if this was incorrect, and the monitor computer always calculates the expected result by adding 19 to the stimulus data output in the previous cycle. Further, if no agreement between the expected result and the received result is obtained, the next stimulus is issued as either 4 + the received result or 4 + the calculated result, but neither the monitor nor the main computer causes immediate shut down. Either computer receiving data which appears incorrect enters a fault pending state by registering internally a non-zero count in a suspected fault location. If this fault is repeated, the suspect count is incremented until a count of n1 is registered at either computer, at which point a local shut down is generated, as a non-transient check failure is deemed to have been detected. In the event of a transient failure, e.g. due to transmission interference, the suspect fault counter will be incremented away from zero, but non-repetitive failures allow the sequence of data exchanges to be re-instated satisfactorily at a typical count of 1 or 2. Under these intermediate non-zero conditions in the suspect counter, a second counter is enabled to count the exchange cycles in which no fault is recorded and, should this counter reach level n2, this count is set back to zero and the suspect count is reduced. Continuing correct data exchanges reduce the suspect counter eventually to zero, when all counting is discontinued until such time as another faulty exchange of data is detected. By suitable choice of values for n1 and n2 the tolerance level can be adjusted to a setting which is appropriate to the process and the electrical environment.
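The counter scheme just described, as an added C example that is not part of the original specification: each computer keeps a suspect counter with shut-down threshold n1 and a good-exchange counter that is active only while the suspect count is non-zero and, on reaching n2, clears one suspected fault. The outcome sequences fed in are constructed for the example. Two details the page leaves open are chosen here and marked in the code: a discrepancy restarts the good-exchange count, so only uninterrupted good cycles clear a fault, and a GO signal once removed stays removed until the controller is reset.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-computer fault tolerance state: the "suspected fault" counter and the
   good-exchange counter that is only active while a fault is pending. */
typedef struct {
    uint8_t suspect;   /* comparison failures not yet cleared by good cycles */
    uint8_t good;      /* good exchanges counted since the last reduction of suspect */
    uint8_t n1;        /* suspect count at which local shut down is generated */
    uint8_t n2;        /* good exchanges needed to reduce suspect by one */
    bool    go;        /* local support signal to AND gate G2 */
} tolerance_t;

static void tolerance_init(tolerance_t *t, uint8_t n1, uint8_t n2)
{
    t->suspect = 0; t->good = 0; t->n1 = n1; t->n2 = n2; t->go = true;
}

/* Record the outcome of one check data comparison and return the GO signal.
   Assumptions (the page does not say): a failure restarts the good-exchange
   count, and once GO is removed it stays removed until the controller is reset. */
static bool tolerance_record(tolerance_t *t, bool comparison_ok)
{
    if (!t->go)
        return false;                        /* latched local shut down */
    if (!comparison_ok) {
        t->good = 0;
        if (++t->suspect >= t->n1)           /* non-transient failure: shut down */
            t->go = false;
        return t->go;
    }
    if (t->suspect > 0 && ++t->good >= t->n2) {
        t->good = 0;                         /* n2 good exchanges: forgive one failure */
        t->suspect--;                        /* at zero, counting stops until next fault */
    }
    return true;
}

typedef struct {
    int shutdown_cycle;   /* index of the comparison that removed GO, or -1 */
    int suspect_left;     /* suspect count at the end of the sequence */
} tolerance_result_t;

/* Feed a sequence of comparison outcomes (true = agreement) to a fresh counter pair. */
static tolerance_result_t run_outcomes(const bool *ok, int n, uint8_t n1, uint8_t n2)
{
    tolerance_t t;
    tolerance_result_t r = { -1, 0 };
    tolerance_init(&t, n1, n2);
    for (int i = 0; i < n; i++) {
        if (!tolerance_record(&t, ok[i]) && r.shutdown_cycle < 0)
            r.shutdown_cycle = i;
    }
    r.suspect_left = t.suspect;
    return r;
}

/* Constructed outcome sequences (not from the page): 1 = agreement, 0 = discrepancy. */
static const bool SEQ_ISOLATED[] = { 0,1,1,1,1,1, 0,1,1,1,1,1, 0,1,1,1,1 }; /* transients */
static const bool SEQ_BURST[]    = { 1,1,0,0,0,1,1 };                       /* hard fault */
static const bool SEQ_REPEATED[] = { 0,1,1,0,1,1,0,1,1,1,1 };               /* 1 in 3 bad */
#define SEQ_LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    tolerance_result_t a = run_outcomes(SEQ_ISOLATED, SEQ_LEN(SEQ_ISOLATED), 3, 4);
    tolerance_result_t b = run_outcomes(SEQ_BURST,    SEQ_LEN(SEQ_BURST),    3, 4);
    tolerance_result_t c = run_outcomes(SEQ_REPEATED, SEQ_LEN(SEQ_REPEATED), 3, 4);
    tolerance_result_t d = run_outcomes(SEQ_REPEATED, SEQ_LEN(SEQ_REPEATED), 3, 2);
    printf("isolated transients, n1=3 n2=4: shutdown at %d, suspect left %d\n", a.shutdown_cycle, a.suspect_left);
    printf("burst of failures,   n1=3 n2=4: shutdown at %d, suspect left %d\n", b.shutdown_cycle, b.suspect_left);
    printf("1 in 3 bad,          n1=3 n2=4: shutdown at %d, suspect left %d\n", c.shutdown_cycle, c.suspect_left);
    printf("1 in 3 bad,          n1=3 n2=2: shutdown at %d, suspect left %d\n", d.shutdown_cycle, d.suspect_left);
    return 0;
}
```

The same error rate that shuts the system down with n2 = 4 is tolerated with n2 = 2, which is the tuning knob the text refers to: n1 bounds how many unforgiven discrepancies are ever accepted, and n2 sets how quickly a quiet link earns forgiveness. A burst of n1 consecutive failures always shuts down, whatever n2 is.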

It will be appreciated that the systems described above can be particularly suitable for lower cost anti-lock installations, in that the two computers need not be identical and are not therefore subject to the same failure modes, yet are able to continually cross-check each other's operation so as to detect any serious failure in their processing function or operating cycle. A substantial cost saving can be made compared to known systems, since a main computer and a lower cost monitoring computer are used in the combination in place of two expensive main computers, but the cross-checking function is continuous and does not depend upon the occurrence of skidding input signals to make a full operational cross-check available.



Claims 

1. A dual computer cross-checking system comprising a control computer (10), a control data supply means (S1-S4) for supplying control data to the control computer (10), said control computer (10) processing said control data and producing control output signals, and a monitoring computer (12) for checking the operation of the control computer, characterised in that the control computer (10) and the monitoring computer (12) are arranged to interchange check data on a cyclic basis, each computer (10, 12) carrying out a predetermined calculation on the check data it receives from the other computer and each computer checking that the check data received from the other computer bears a predetermined relationship to the check data it transmitted to the other computer in the previous cycle, and shut-down means (14) controlled by both computers (10, 12) for shutting down the control system in the event that at least one of said checking operations reveals a discrepancy.

2. A dual computer cross-checking system as 
claimed in claim 1, wherein the monitoring com- 
puter (12) is of a less powerful type than the 
control computer (10). 

3. A dual computer cross-checking system as claimed in claim 1 or 2, wherein one of the two computers (10, 12) operates as a master computer, controlling the timing of check data interchange such as to synchronise the operation of the other computer and the transmission of each element of check data to coincide with precise predetermined points in the operating cycle of that computer operated as the master.

4. A dual computer cross-checking system as 
claimed in claim 1 or 2, wherein both computers 
are constrained to receive the respective transmis- 
sions of the other at precise predetermined points 
in a master operating cycle, failure of such recep- 
tion being interpreted as an operating fault which 
causes said shut-down means to operate. 

5. A dual computer cross-checking system as 
claimed in claim 1 or 2, wherein the control com- 
puter (10) operates as a master computer control- 
ling the timing of check data interchange to co- 
incide with precise points in the control operating 
cycle thereof, failure to receive check data at the 
precise point when it is expected being interpreted 
as a failure which causes said shutdown means to 
operate. 

6. A dual computer cross-checking system as
claimed in claim 5, wherein the main computer (10) 
acting as the master, conveys a master timing 
cycle to the other computer (12) by a synch- 
ronising means (SYNC) in each cycle of control 
operation, the timing of all data exchanges being 
made in relation to the active transition of this 
synchronising means (SYNC). 

7. A dual computer cross-checking system as claimed in any of claims 1 to 6, wherein the check data consists of a single byte which is transmitted either serially or in parallel between the two computers (10, 12), the predetermined calculation carried out by each computer including the addition of a prime number to the value of the byte in each cycle.

8. A dual computer cross-checking system as 
claimed in claim 7, wherein said predetermined 
calculation is not performed as a single routine but 
is broken down into a plurality of sub-routines 
which are distributed throughout the control pro- 
cessing sequence. 

9. A dual computer cross-checking system as 
claimed in claim 8, wherein said predetermined 
calculation process, once broken down into a num- 
ber of stages, is further complicated to use a 
multiplicity of the features and facilities available in 
the respective computer, whereby to more com- 
pletely check the operation of that computer. 

10. A dual computer cross-checking system as 
claimed in any of claims 1 to 9, wherein the shut- 
down means is arranged to operate on the first 
occasion that a check byte discrepancy is found. 

11. A dual computer cross-checking system as claimed in any of claims 1 to 9, wherein a fault tolerance level is introduced by arranging for each computer to maintain a count of discrepancies occurring in a period and for said shut-down means to be operated only if such count reaches a predetermined level.

12. A dual computer cross-checking system as claimed in claim 11, wherein each computer includes two counters in its software, one of which counts the number of correct check cycles and the other of which counts the number of check cycles in which a discrepancy occurs, said other counter being decremented (if not already at a count of zero) each time a predetermined number of counts is made by the first-mentioned counter.

13. A dual computer cross-checking system as claimed in any of claims 1 to 9, in which a fault tolerance level is introduced by arranging for the control computer (10) to compare each newly received stimulus byte with the previous similar byte and, if the preprogrammed difference is not detected, shut-down is not immediately effected but is delayed until a first counter, which is incremented away from zero at each comparison failure, reaches a preset first count, and wherein, at intermediate non-zero values of this first counter, a second counter is incremented at each correct comparison such that when this second counter reaches a second preset level it is reset and the first counter is reduced, this process being repeated until either the first counter is reduced to zero again or the first preset count is reached and shut-down occurs, and wherein the monitor computer (12), which compares each received reply byte with its internally calculated reply, is similarly equipped with first and second counters operating in an entirely comparable manner to those of the control computer (10).